一个“安全”的网站，每个页面都是加密的，但登录页面!

2007年，一家相当大的机构的国防部网站出现了错误配置，导致IIS web服务器提供原始代码，主页中有硬编码的用户名/密码和数据库服务器信息。幸运的是，它很快就被抓住了，但我确实目睹了它，这非常令人震惊。不用说，他们的网站被网络工程师关闭了，直到开发人员修复了糟糕的代码。

In the 1970's Stanford had IBM 2741 hardcopy terminals spread around campus networked to an IBM 360/67. Account passwords were three characters. During logon, the password prompt would overprint a three-position blob of about nine random uppercase characters, so the subsequently-typed password would supposedly be masked by the blob. However, everyone typed their passwords in lowercase, which were trivial to discern against the uppercase background blob. That meant you could usually walk up to any terminal, peruse the hardcopy typically left behind by the previous user, and easily logon with their account and password.

The worst security hole I've seen was from a (very very bad) hosting company. And even worse it was just some months ago (summer 2010)! You had to first connect to your hosting package control panel (you needed valid credentials). Once logged in all you had to change was the id GET token from the URL and voilà, you're in the control panel of another user! You have access (save/edit/delete) to emails, files, databases. The ids were sequential so you only have to do +1 and you're in the next account. I hope someone have been fired for this!

这是我和他们一起经历过的众多WTF之一!幸运的是，我不是他们的顾客!

两个系统之间的“统一登录”——这暴露了密码为免费文本.........在url中!!

这是一个“离岸”的政府项目。幸运的是，它很早就被注意到了。可怕的是开发人员并没有看到这么多的问题-真的让你怀疑。

去了一个汽车经销商的付费网站，会员费很高。只要用“test”作为用户名，用“Test1”作为密码。我进去了。